Ensure data security in a hyper-connected world

Should we remain focused on image quality? Market trends Growing amount of security cameras Skyrocketing petabytes of captured video data Worth $18.28 billion by 2020 (estimated) Compound annual growth rate is forecasted at 22.41% Cyber security is growing Worth $170.21 billion by 2020 (estimated) Compound annual growth rate is forecasted at 9.8% Managed security services cover 40% of security market More detail Increasing number of cameras Need for indisputable evidence (Global market for IP cameras CAGR 20%+) Businesses today demand far more detail from their video surveillance footage than ever before. Higher resolutions, higher frame rates, better light sensitivity and excellent dynamic ranges all matter when it comes to capturing images that can distinguish individuals or objects for irrefutable evidence. Despite the fact that multi megapixel cameras are already more common in today’s market place. We still see a growing demand for more detail. Logical if we consider that highly detailed images make it easy to distinguish individuals or minor details. It significantly increases the effectiveness of retrospective analysis. Also considering the fact that we are still collecting evidence that is disputable Demand for more detail is also logical considering that perpetrators are still set free due to the fact that the evidence is still disputable. Often the poor image quality is to blame. Additionally, we see an increasing number of network cameras. Currently the market is growing above 20 percent per year. These cameras being used in situations from airports to peoples living rooms. For example, there are more than 30 million surveillance cameras operating in the US alone (NBC). Nowadays law enforcement increasingly accepts video data as evidence in court. Of course certain rules have to be obeyed and the authenticity of the video data needs to be proven, yet it becomes more and more admissible. Video surveillance data is increasingly connected across local and global networks. A growing number of edge components (cameras) send their data to core components (servers) over the Internet. Video data more connected 2 Security Systems | ST-VS/MKC | 11/28/2016 © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Should we remain focused on image quality? Consequences Growing amount of security cameras Skyrocketing petabytes of captured video data Worth $18.28 billion by 2020 (estimated) Compound annual growth rate is forecasted at 22.41% Cyber security is growing Worth $170.21 billion by 2020 (estimated) Compound annual growth rate is forecasted at 9.8% Managed security services cover 40% of security market Tons of data to be processed Skyrocketing video data Cyber security market (2020): USD 170.21 billion, CAGR ~10% Storage market (2020): USD 18.28 billion, CAGR 22% What are the consequences of these market trends? It becomes clear that delivering highest quality of video images remains important. However… 1.) It is clear that over time (and already today) we have to process tons of information / data. According to the current Global Forecast from MarketsandMarkets, the storage market is set to reach $18.28 billion by 2020 at a compound annual growth rate (CAGR) of 22.41%. 2.) The fact that video data becomes more connected across local and global networks makes us more vulnerable to cybercrime. The global Cyber Security market size is estimated to grow from $106.32 Billion in 2015 to $170.21 Billion by 2020, at a Compound Annual Growth Rate (CAGR) of 9.8%. Marketsandmarkets.com. Publishing Date: June 2015. But there is also another consequence… But also… 3 Security Systems | ST-VS/MKC | 11/28/2016 © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

It leaves surveillance systems vulnerable to cybercrime! 4 Security Systems | ST-VS/MKC | 11/28/2016 © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Safeguard video surveillance data Need for data security in security surveillance Other examples that are not shown on this slide: March 2013: Many low cost manufacturers shipped their products with unauthenticated firmware (FW). It left port 9000 open with Universal Plug and Play (UPnP)* enabled. *) set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment. UPnP is intended primarily for residential networks without enterprise-class devices. June 2015: Buffer overflow vulnerability that can be exploited by a remote attacker for arbitrary code execution run what they want on your device basically. March 2015: NVR hacked an turned into a bitcoin miner. I also heard that an NVR (network video recorder) from the same manufacturer was reworked into a media server while installed and used to play non-sanctioned music to the crowd in the airport. September 2015: Malicious X code used in app downloading malware onto users’ devices But by far the most used method is the user leaves the default password intact! This has become so crazy that manufacturers are shipping stickers on their boxes in bright orange to remind users to change 5 Security Systems | ST-VS/MKC | 11/28/2016 © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Safeguard video surveillance data What to expect? Malware infection via firmware or third party software Side channel attacks Distrubutes Denial of Service attacks (DDOS) Intrusion of privacy Physical theft Privilege misuse Malware aimed at gaining control of systems Program code coming to the system by downloading new fake Software packages. Or by inserting storage media to device which includes viruses, Worms etc. Insider/privilege misuse Once a user have rights to use the system the privileges of the user might know to another person or the person leave the company and his rights are still valid for a period of time. Or a internal person intentional misuses his access against the company. Physical theft or loss Storage media SD card, or HDD are stolen. The whole device camera or storage array are stolen. Denial of service attacks Here traffic is used to make the system unusable. An example is a system is trying to log on in servers and by doing this in high frequency nobody can log in anymore and can use the system. Side channel attacks Open the device or measure electro magnetic waves to find out what the device is executing at the moment. Here it is possible to measure with a spectrum analyzer what the passcode is by just analyzing the BUS traffic and or the EMI spectrum of the device. 6 Security Systems | ST-VS/MKC | 11/28/2016 © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Safeguard video surveillance data What is data security? “Data security means protecting data, such as a database, from destructive forces and from the unwanted actions of unauthorized users.” Securing stored data involves preventing unauthorized people from accessing it as well as preventing accidental or intentional destruction, infection or corruption of information. So back to the basics of data security – lets start with the definition: Data security means protecting data, such as a database, from destructive forces and from the unwanted actions of unauthorized users. Securing stored data involves preventing unauthorized people from accessing it as well as preventing accidental or intentional destruction, infection or corruption of information. Even a single weak link in the surveillance set-up can jeopardize the entire system. E.g. no reset of default passwords on cameras. Many people tend to forget to reset the factory default passwords. In this way it would be very easy for someone externally to obtain access to the data of such camera. 7 Security Systems | ST-VS/MKC | 11/28/2016 © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Bosch four-step approach considering complete infrastructure Keep your video data secure Bosch four-step approach considering complete infrastructure Cameras Storage devices 1: Create trust 2: Secure data 3: User access rights Public Key Infrastructure (PKI) 4: Meet IT industry standards Clients What is needed to ensure data security in a hyper connected world? A systematic approach is needed covering all angles (taking into account the complete network infrastructure). In order to ensure data security we cannot limit ourselves to only edge components (cameras): Cameras (edge devices): Access via passwords and user management, authentication via certificates, data encryption. Servers, clients & storage devices (core devices): Authentication, validity check of live and recorded videos, data encryption. Security infrastructure: Support standard key infrastructures, partnerships with authorized third-party certification. Network protocols: Encryption and data transfer in line with industry standards A systematic approach is key to achieve the highest standards in end-to-end data security. Yet a systematic approach alone is not enough. We need to ensure / manage at least four steps to meet the demands in a hyper-connected world. Four-step approach: We need to create trust amongst all components in the network. Subsequently, data exchanged and stored needs to be secure. Systems and measures need to be in place to easily manage user access rights. Meet leading industry standards in public key infrastructure (PKI). Even a single weak link in the surveillance set-up can jeopardize the entire system 8 Security Systems | ST-VS/MKC | 11/28/2016 © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Our four-step approach: Keep your video data secure Our four-step approach: Step 1: Create trust Assigning each components an authentication key Data exchange only between trusted partners Data of verified devices can serve as legal evidence Step 2: Secure data Creating and distributing cryptographic keys for protecting recorded data Proprietary hardware key protects data even in case of a breach Ensure authenticity of firmware updates Solutions for creating trust @Bosch: All hardware cameras and storage devices have a trusted platform module (TPM) In-house Certification Authority (CA) Support of 3rd party CA Products with certificates ex factory Solutions for securing data @Bosch: Trusted platform module (TPM) Signed streams and recordings Encryption of video, audio, metadata and serial communication 9 Security Systems | ST-VS/MKC | 11/28/2016 © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Our four-step approach: Keep your video data secure Our four-step approach: Step 3: User access rights Only authorized individuals get access to the data Ensure easy management of user access rights Step 4: Meet IT industry standards Meet industry standards in public key infrastructure and IT Support 3rd party solutions for: Public key infrastructure Management of user access rights Solutions for managing user access rights @Bosch: Secure and flexible management of user access rights in our cameras, storage devices and software. Support of 3rd party solutions, like Microsoft Active Directory (as of 2016) Credit: KylaBorg A site linked to 73,011 unsecured security camera locations in 256 countries to illustrate the dangers of using default passwords. Solutions for meeting industry standards @Bosch: Support of Microsoft Active Directory (as of 2016) Support of 3rd party PKI, like SXI (US) In-house CA (Escrypt) to offer own public key infrastructure (as of 2016) Contributing actively to ONVIF Security Working Group to transfer well-established IT standards and encryption methods to the security world 10 Security Systems | ST-VS/MKC | 11/28/2016 © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Our system approach: How we secure our cameras? Keep your video data secure Our system approach: How we secure our cameras? Cameras (edge devices) Only secure connections are possible (HTTPS) Password request at initial set up Unsecure ports for automatic discovery disabled. Universal Plug and Play protocol (UPnP) Unsecure remote communication disabled (Telnet) Uploading of 3rd party software not possible Firmware updates by Bosch signed files only Unique built-in Trusted Platform Module (TPM) safely stores private keys for encryption 11 Security Systems | ST-VS/MKC | 11/28/2016 © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Our system approach: How we secure our core devices Keep your video data secure Our system approach: How we secure our core devices Support of Microsoft Active Directory for safe management of user access rights Digest access authentication only Regular updates via security patches Servers, clients & storage devices (core devices) Cryptographic operations are only executed inside the unique built-in Trusted Platform Module (TPM) Support of Microsoft Active Directory for safe management of user access rights Digest access authentication only Regular updates via security patches Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as username or password, with a user's web browser. This can be used to confirm the identity of a user before sending sensitive information, such as online banking transaction history. It applies a hash function to the username and password before sending them over the network. In contrast, basic access authentication uses the easily reversible Base64 encoding instead of encryption, making it insecure unless used in conjunction with SSL. 12 Security Systems | ST-VS/MKC | 11/28/2016 © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Our system approach: How we secure communication Keep your video data secure Our system approach: How we secure communication “Unsecure” ports disabled by default Password assignment suggestion on set up Network authentication using the 802.1x protocol Supports up to 256 bit keys for encryption (Advanced Encryption Standard) Network protocols (communication) Unsecure ports for automatic discovery disabled. Universal Plug and Play protocol (UPnP) Unsecure remote communication disabled (Telnet) Password assignment suggestion on set up Network authentication using the 802.1x protocol Supports up to 256 bit keys for encryption (Advanced Encryption Standard) Cipher suite: is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings for a network connection using the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocol. Data Encryption Standard: once a predominant symmetric-key algorithm for the encryption of electronic data. It was highly influential in the advancement of modern cryptography in the academic world. DES is now considered to be insecure for many applications. This is mainly due to the 56-bit key size being too small; in January 1999, distributed.net and the Electronic Frontier Foundation collaborated to publicly break a DES key in 22 hours and 15 minutes (see chronology). 13 Security Systems | ST-VS/MKC | 11/28/2016 © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Our system approach: Protecting the infrastructure Keep your video data secure Our system approach: Protecting the infrastructure Factory-loaded unique Bosch signed certificates on all cameras In-house Certificate Authority (Escrypt) Supports customer specific certificates Supports 3rd party PKI solutions Certificates (security infrastructure) Factory-loaded unique Bosch signed certificates on all cameras Built-in Trusted Platform Module (TPM) for highly secure cryptographic operations In-house Certificate Authority (Escrypt) Supports customer specific certificates Supports 3rd party PKI solutions Public Key Infrastructure (PKI) support: E.g. SXI based CHAVE certificates roll-out E.g. Escrypt LRA (Bosch-owned company) 14 Security Systems | ST-VS/MKC | 11/28/2016 © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Keep your video data secure What to expect? Bosch measures: Uploading of 3rd party software not possible Firmware updates by Bosch signed files only Malware infection via firmware or third party software Unique built-in Trusted Platform Module Side channel attacks Distrubutes Denial of Service attacks (DDOS) User access management in the cameras, recording solutions and software Intrusion of privacy Physical theft Privilege misuse Tamper protection standard on all Bosch network video security cameras Support of Microsoft Active Directory Support of token based identification Malware aimed at gaining control of systems Measures from Bosch: Uploading of 3rd party software not possible Firmware updates by Bosch signed files only Insider/privilege misuse Measure from Bosch: User access management in the cameras, recording solutions and software Physical theft or loss Tamper protection standard on all Bosch network video security cameras Side channel attacks Unique built-in Trusted Platform Module (TPM) safely stores private keys for encryption 15 Security Systems | ST-VS/MKC | 11/28/2016 © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Keep your video data secure Educational material Bosch IP Video Data Security Guidebook Network Authentication 802.1x Secure the Edge of the Network - Technical White Paper Trusted Platform Module (TPM) explained - Technical White Paper 16 Security Systems | ST-VS/MKC | 11/28/2016 © Robert Bosch GmbH 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Our focus is to keep your video data secure Thank you